On December 10, 2020, the California Department of Justice (“Department”) announced a fourth set of modifications to the California Consumer Privacy Act’s (CCPA) regulations.  The deadline to submit comments to the modifications is Monday, December 28, 2020.

As a quick recap of past developments related to the CCPA regulations, the Department first published proposed regulations for public comment on October 11, 2019. In February 2020, and again in March 2020, the Department announced a first and then a second set of modifications to the proposed regulations, based on comments received during the public comment periods. In October 2020, the Department issued a third set of modifications and received approximately 20 comments in response. The fourth set of modifications issued this week was developed in response to those comments, and to “clarify/conform” the proposed regulations to existing law.

The fourth set of modifications primarily aims to clarify ambiguities regarding a consumer’s right to opt out, a business’s use of an opt-out button, and the processing of opt-out requests.

Regarding the right to opt out, the modifications clarify that a business that sells personal information collected from consumers in the course of interacting with them offline shall inform consumers of their right to opt out of the sale of their personal information by an offline method. The regulations provide examples: a business that sells personal information collected over the phone, for instance, may inform consumers of their right to opt out orally during the call in which the information is collected.

In addition, the latest set of modifications re-introduces the opt-out button, providing the uniform logo that businesses should use when implementing an opt-out button, along with instructions for its use. It is worth noting that the opt-out button was initially introduced in the first set of modifications to the CCPA regulations but was later removed due to negative feedback from privacy advocates.

Here is what the opt-out button will look like:

The latest modifications also add a new section to the regulations, which emphasizes that an opt-out button:

  • may be used in addition to posting the notice of right to opt-out, but not in lieu of any requirement to post the notice of right to opt-out or a ‘Do Not Sell My Personal Information’ link as required by; and
  • where a business posts the ‘Do Not Sell My Personal Information’ link, shall be added to the left of that text, as demonstrated below, and shall link to the same Internet webpage or online location to which the consumer is directed after clicking on the ‘Do Not Sell My Personal Information’ link.

Finally, the latest modifications provide instructions on a business’s methods for submitting consumer requests to opt out, highlighting that “requests to opt-out shall be easy for consumers to execute and shall require minimal steps to allow the consumer to opt-out.”

The Department will accept written comments to the latest modifications to the CCPA regulations between Friday, December 11, 2020 and Monday, December 28, 2020. Written comments may be submitted to the Department via email to PrivacyRegulations@doj.ca.gov.

It remains to be seen whether these latest modifications to the CCPA regulations will in fact be the final round, but given the active history of modifications, it would not be surprising if there were more to come. Companies should continue to monitor CCPA developments, and ensure their privacy programs and procedures remain aligned with current compliance requirements.


A new report released by Global Market Insights, Inc. last month estimates that the global market valuation for voice recognition technology will reach approximately $7 billion by 2026, in large part due to the surge of AI and machine learning across a wide array of devices, including smartphones, healthcare apps, banking apps and connected cars, to name a few. Whether performing a quick hands-free search on a phone or issuing a voice command in the car while driving, voice recognition technology has made consumer use nearly effortless. Particularly in the wake of the COVID-19 pandemic, companies that may never have considered voice recognition technology are now rethinking their employee access control systems and considering touchless authentication technologies, like voice recognition, as the main form of entry into their workspace, as opposed to fingerprint scanners or keypads that increase the risk of spreading germs or viruses.

But while the ease and efficiency of voice recognition technology is clear, the privacy and security obligations associated with this technology cannot be overlooked. Voice recognition is generally classified as a biometric technology, one that identifies an individual by a unique human characteristic (e.g. voice, speech, gait, fingerprints, iris or retina patterns), and as a result voice-related data qualifies as biometric information and, in turn, as personal information under various privacy and security laws. Note that speech recognition (transcribing what is said) and speaker recognition (identifying who is speaking by matching a voiceprint) are distinct functions; the biometric obligations discussed below attach most directly to the latter, but several of the statutes also reach raw voice recordings from which a voiceprint could be extracted. For businesses that want to deploy voice recognition technology, whether for use by their employees to access systems or when manufacturing a smart device for consumers or patients, there are a number of privacy and security compliance obligations to consider. Here are just a few:

  • EU’s General Data Protection Regulation (GDPR)
    • The GDPR, effective since May 2018, treats a person’s voice as “personal data”. While GDPR Article 4(1), which defines “personal data”, does not specifically refer to “voice” but rather to “one or several properties unique to their physical, physiological identity…”, the European Data Protection Board has taken the position that “voice recognition” is an example of a physical or physiological biometric identification technique. Where voice data is processed for the purpose of uniquely identifying a natural person, it is “biometric data” under Article 4(14) and a special category of personal data under Article 9, which may be processed only under one of the Article 9(2) exceptions (most commonly the data subject’s explicit consent). For businesses that process the personal data of data subjects in the EU, those data subjects are granted an array of rights (e.g. the right of access and the right to erasure), and significant privacy and security obligations fall on the controllers and processors of that data.
  • California Consumer Privacy Act (CCPA)
    • The recently enacted California Consumer Privacy Act (CCPA) may apply to a business that collects the personal information of a California resident, regardless of whether the organization is located in California. Under the Act, a covered business must provide a resident with information about its data collection practices, including the personal information it collects, discloses, and sells, as well as the right to delete this data and to object to its sale. Notably, the Act prohibits an individual from waiving these rights. The CCPA includes “biometric information” as an enumerated category of “personal information.” The Act’s definition of “biometric information” states that “[b]iometric information includes, but is not limited to, imagery of the iris, retina, fingerprint, face, hand, palm, vein patterns, and voice recordings, from which an identifier template, such as a faceprint, a minutiae template, or a voiceprint, can be extracted”.
  • Biometric Information Privacy Act (BIPA)
    • The BIPA sets forth a comprehensive set of rules for companies doing business in Illinois when collecting biometric identifiers or biometric information of state residents. The BIPA has several key features: informed consent prior to collection; limits on the disclosure of biometric information; a written policy requirement addressing retention and data destruction guidelines; and a prohibition on profiting from biometric data. The definition of “biometric identifiers” under the BIPA includes a “voiceprint” (the use of a person’s voice to verify his or her identity). Voiceprinting has been the subject of significant BIPA litigation of late, particularly in the context of virtual assistants. While these cases have so far been dismissed for reasons unrelated to voiceprinting itself (e.g. lack of personal jurisdiction), as plaintiffs continue to expand the scope of BIPA targets, companies utilizing voiceprinting will increasingly face exposure to BIPA litigation.
  • Children’s Online Privacy Protection Act (COPPA)
    • Under COPPA there are strict consent requirements for the collection and storage of data of children under 13. That said, in 2017 the Federal Trade Commission issued guidance on COPPA in the context of voice recordings that relaxes the rule somewhat: “The Commission recognizes the value of using voice as a replacement for written words in performing search and other functions on internet-connected devices. Verbal commands may be a necessity for certain consumers, including children who have not yet learned to write or the disabled… as such when a covered operator collects an audio file containing a child’s voice solely as a replacement for written words, such as to perform a search or fulfill a verbal instruction or request, but only maintains the file for the brief time necessary for that purpose, the FTC would not take an enforcement action against the operator on the basis that the operator collected the audio file without first obtaining verifiable parental consent. Such an operator, however, must provide the notice required by the COPPA Rule, including clear notice of its collection and use of audio files and its deletion policy, in its privacy policy.” While the FTC has not, to date, brought any COPPA enforcement actions in the context of voice recordings, its requirements should not be ignored.
  • State Statutory and Common Law Mandates to Safeguard Personal Data
    • Multiple states impose an affirmative duty to use reasonable measures to safeguard personal data that an organization collects or owns, a category that increasingly includes biometric information. The applicability of these laws may depend on the location of the organization’s facilities and on the consumer’s, employee’s or patient’s state of residency. Many of these safeguarding laws provide a general framework for compliance without mandating specific measures. However, “reasonable” generally implies safeguards appropriate to the sensitivity of the data, and one need only look to more prescriptive data security frameworks, such as those under HIPAA and the Massachusetts data security regulations, to get a sense of what safeguards may be appropriate. These statutory duties to safeguard are also driving increased contractual safeguarding obligations between businesses that exchange personal information in the course of performing an agreement. At the same time, some courts have recognized common law duties to safeguard personal data.
  • State Mandates Regarding Data Destruction and Disposal
    • Currently, more than thirty states have data destruction and disposal laws. These laws require taking reasonable steps to securely dispose of records containing personal information by shredding, erasing or other methods. States such as Massachusetts include biometric information as a category of personal information subject to these requirements. As part of meaningful data destruction practices, organizations should also implement a data retention schedule that ensures biometric information, including voiceprints and the recordings from which they are derived, is destroyed once it is no longer needed.
  • State Data Breach Notification Laws
    • All fifty U.S. states have data breach notification laws. In general, these laws require an entity that owns or licenses personal information about a state resident to report a data breach to the individuals whose personal information is affected and, in some cases, to the state attorney general or other agencies, the media, and credit reporting agencies. Each state has its own definition of personal information, and states such as California, Texas, Florida, and Arizona include health, medical, and/or biometric information. Unauthorized acquisition of or access to such personal information, whether by hackers or through employee error, can require notifications to individuals, creating significant exposure and reputational harm for the organization. Perhaps a greater concern from such a compromise is the exfiltration of voiceprint data itself: unlike a password, a voiceprint cannot be changed once compromised, and stolen recordings or voiceprint templates could be replayed or otherwise used to impersonate the individual to other accounts that rely on voice authentication.
  • Vendor Contract Statutes
    • An increasing number of states, including California, Massachusetts, New York, and Oregon, statutorily require a business to conduct due diligence before sharing or disclosing certain categories of personal information, which likely include biometric information, to a third-party service provider. Many of these statutes also require contractually obligating the vendor to maintain safeguards appropriate to the sensitivity of the data, which is a good practice even where a written agreement is not mandated by statute.

Conclusion

Voice recognition technology is booming, and continues to reach facets of daily life that were hard to contemplate only recently. The technology brings innumerable potential benefits as well as significant data privacy and cybersecurity risks. Organizations that collect, use, and store voice data increasingly face compliance obligations as the law attempts to keep pace with technology, cybercrime and public awareness of data privacy and security. Creating a robust data protection program, or regularly reviewing an existing one, is a critical risk management and legal compliance step.


On November 3, 2020, Californians approved another significant piece of privacy rights legislation, the California Privacy Rights Act, or the CPRA.  The CPRA amends and expands the already (almost) infamous CCPA (California Consumer Privacy Act), which is the privacy law that went into effect in the Golden State last year.

New Rights under CPRA

The CPRA provides for, among other things, new and expanded rights for consumers.  The new rights under the CPRA include:

  • Right to Correct Information. A consumer may request that a business correct his or her personal information if it is inaccurate. Covered businesses must disclose this new right to consumers and use “commercially reasonable efforts” to correct personal information upon receiving a verifiable consumer request.
  • Right to Limit Sensitive Personal Information. The CPRA creates a sub-category of personal information labeled “sensitive personal information”. The definition of sensitive personal information covers some 20 data elements, including, for example, racial or ethnic origin, religious beliefs, sexual orientation and precise geolocation. A consumer may limit the use and disclosure of sensitive personal information to that “which is necessary to perform the services or provide the goods reasonably expected by an average consumer who requests such goods and services,” subject to certain exemptions. For example, in most cases a consumer may prohibit a business from disclosing sensitive personal information to third parties. A covered business is required to implement a process (such as a clearly labeled link) to allow consumers to limit the use of their sensitive personal information.
  • Right to Access Information About Automated Decision Making. Consumers may request information about the logic involved in automated decision-making and a description of the likely outcome of processes.
  • Right to Opt-Out of Automated Decision-Making Technology. Consumers are allowed to opt-out of the use of automated decision-making technology in connection with decisions about the consumer’s work performance, economic situation, health, personal preferences, interests, reliability, behavior, location, or movements.

Expanded and Modified Rights Under the CPRA

There are also several expanded and modified rights under the CPRA, including:

  • Expanded Right to Know. For personal information collected on or after January 1, 2022, the CPRA allows a consumer to make a request to know that reaches beyond the CCPA’s normal 12-month look-back period, unless doing so would be “impossible” or would involve a “disproportionate” effort. This expanded right does not, however, require a business to keep personal information for any specific period of time.
  • Expanded Right to Opt Out. The CPRA expands the existing opt-out right to include both the sale and “sharing” of personal information, which is defined as the transfer or making available of a “consumer’s personal information by the business to a third party for cross-context behavioral advertising, whether or not for monetary or other valuable consideration.”
  • Modified Right to Delete. Businesses that receive a consumer deletion request are required to notify third parties who bought or received the consumer’s personal information, subject to some exceptions. Service providers and contractors also must pass the deletion request downstream in certain circumstances.
  • Expanded Right to Data Portability. A consumer may request that a business transmit his or her personal information to another entity, to the extent it is technically feasible.
  • Strengthened Opt-In Rights for Minors.  Businesses must wait 12 months before asking a minor for consent to sell or share his or her personal information after the minor has declined to provide it.

Employee Privacy Rights under the CPRA

The CPRA specifically calls out the privacy interests of employees, noting the differences between the employer-employee relationship and the business-consumer relationship (CPRA, Sec. 8, Purpose and Intent). As under the CCPA, the full scope of rights afforded to consumers under the CPRA is not extended to applicants, employees, and independent contractors, and the CPRA keeps it that way until January 1, 2023, unless the CPRA is further amended. However, employees, applicants, and independent contractors do have the following rights (and employers should be putting processes in place to address them if they have not already done so under the CCPA): 1) the right to receive a notice at collection; and 2) the right to sue if their sensitive personal information is breached as a result of their employer not having reasonable safeguards in place.

Conclusion

Companies should continue to monitor CCPA/CPRA developments, and ensure their privacy programs and procedures remain aligned with current compliance requirements. And in case you missed it, here are the first two installments of our CPRA series:


In late September, the United States District Court for the Eastern District of Louisiana issued a first-of-its-kind ruling regarding the Telephone Consumer Protection Act (“TCPA”). The court held that the TCPA provision at 47 U.S.C. § 227(b)(1)(A)(iii), which prohibits calls (and messages) made using an automatic telephone dialing system (“ATDS”) to any cellular telephone number, is unenforceable as to calls placed during the roughly five-year period from November 2015, when Congress amended the TCPA to include an exception for government-debt collection calls, to July 2020, when the U.S. Supreme Court ruled that the government-debt exception was unconstitutional.

In July the Supreme Court held in Barr v. American Association of Political Consultants (“AAPC”) that Congress had impermissibly favored government-debt collection speech over political and other speech, in violation of the First Amendment, and that the remedy was to invalidate the government-debt collection exception and sever it from the remainder of the statute. Despite the possibility that the Court would address the constitutionality of the TCPA in its entirety, the Court left untouched the TCPA’s general restriction on calls made with an “automatic telephone dialing system” (“ATDS”).

Building on the Supreme Court’s ruling, the federal court in Louisiana reasoned that:

Congress’s 2015 enactment of the government-debt exception rendered § 227(b)(1)(A)(iii) an unconstitutional content-based restriction on speech. In the years preceding Congress’s addition of the exception, § 227(b)(1)(A)(iii) did not discriminate on the content of robocalls, and was, as the Supreme Court has observed, a constitutional time-place-manner restriction on speech.  Likewise, now that [American Association of Political Consultants] has done away with the offending exception, § 227(b)(1)(A)(iii) figures to remain good law in the years to come.  However, in the years in which § 227(b)(1)(A)(iii) permitted robocalls of one category of content (government-debt collection) while prohibiting robocalls of all other categories of content, the entirety of the provision was, indeed, unconstitutional.

This groundbreaking Louisiana decision has already started a trend in court analysis of the issue. Only weeks later, a federal district court in Ohio issued a similar ruling granting defendant’s motion to dismiss in Lindenbaum v. Realgy Inc., in light of the retroactive impact of AAPC.

The Ohio court explained:

The plaintiffs in AAPC sought the right to speak going forward on the grounds that the statute, as written, is an unconstitutional content-based restriction. The Supreme Court denied that relief, but offered a remedy in the form of eliminating the content based restriction. But, in our case, severance of the content-based restriction does not offer a “remedy” to correct past harm. Here, defendants do not seek the right to speak, having already done so. They seek the right to be free from punishment for speaking during a time when an unconstitutional content-based restriction existed. A forward-looking fix offers no remedy for this past wrong.

As many currently active TCPA cases involve calls, texts or faxes sent between November 2015 and July 2020, these rulings have the potential to have an immediate and significant impact on TCPA class action litigation. The rulings’ impact is heightened by the fact that the courts dismissed each plaintiff’s claims on the ground that the court lacked subject matter jurisdiction, as “federal courts lack authority to enforce unconstitutional laws.” A subject matter jurisdiction dismissal is available in all phases of litigation and cannot be waived, increasing the number of cases that could potentially be affected by these rulings.

Notably, the Louisiana court acknowledged the likelihood of a circuit split arising from its ruling, but attributed this to the Supreme Court’s decision in AAPC, which lacked a “clear majority” (Justice Kavanaugh authored a plurality opinion): “The court’s failure to unite behind a sufficiently agreeable rationale does a disservice to litigants and lower courts…Here, it has led the parties to wildly dissimilar understandings of AAPC’s legal effect — all in the utmost good faith and preparation. In the future, it may engender a circuit split which confronts the court anew.”

2020 has been an important year for TCPA developments, and 2021 is likely to be much of the same. Organizations are advised to review and update their telemarketing and/or automatic dialing practices to ensure TCPA compliance.

In case you missed it, here are several other TCPA updates of late worth reviewing:

Already at the cutting edge of U.S. privacy law, California jumped even further ahead of the pack with the recent approval by state voters of the California Privacy Rights Act (“CPRA”). The CPRA, which builds upon the already extensive framework of privacy rights and obligations established in the California Consumer Privacy Act (“CCPA”), is likely to be met with weariness by many subject organizations, which have, over the past couple of years, invested significant effort and resources to come into compliance with the CCPA.

Through this post, and those that follow in our CPRA Series, we will attempt to lessen that burden by identifying and discussing key features of the CPRA and how those features impact organizations’ existing CCPA compliance programs.

Notice At Collection

One important step subject organizations will need to take in response to the CPRA is to update their CCPA notices at collection.  Under the CCPA, an organization is required to provide to consumers – a category which includes employees, applicants, and contractors – a notice that discloses the categories of personal information the organization collects and the purposes for which it uses that information.

When the CPRA takes effect in January 2023, organizations will be required to augment their notices to include three additional categories of disclosure.  Specifically, they will need to:

  1. disclose whether they sell or share personal information;
  2. make disclosures related to their collection, processing, and disclosure of “sensitive personal information,” a new category of information created by the CPRA, which we further discuss below; and
  3. disclose the length of time they intend to retain each category of personal information, or, if that would not be feasible, the criteria they will use to determine that retention period.

Privacy Policy

The passage of the CPRA will also require subject organizations to revisit their privacy policies. The CCPA requires organizations to develop and post online a privacy policy that informs consumers about the existence of, and provides guidance on how to exercise, their CCPA rights: for instance, their right to know what personal information about them organizations collect, disclose, or sell; their right to request the deletion of that information; and their right to opt out of its sale.

The CPRA modifies certain of the rights provided for in the CCPA, while also adding several that are novel.  Specifically, the CPRA:

  • enlarges the CCPA’s 12-month look-back period for requests to “know” (while affording organizations an opportunity to deny expanded requests if compliance would be “impossible” or “involve a disproportionate effort”);
  • adds to the CCPA-established right to opt-out of the sale of personal information a new right to opt-out of the sharing of that information;
  • requires organizations, in the event they receive a deletion request, to direct any service providers, third parties, and/or “contractors” (a new category created by the CPRA) to whom they sold the personal information at issue, or with whom they shared it, to delete that information;
  • creates a new category of personal information – “sensitive personal information” – and empowers consumers to direct organizations to limit their use of such information; and
  • grants consumers the new right to request that organizations correct inaccuracies in their personal information.

Prior to the effective date of the CPRA, organizations will need to update their notices at collection and privacy policies to address the new and modified rights it grants consumers.  For assistance with these updates, please reach out to a member of the Privacy, Data and Cybersecurity group or the Jackson Lewis attorney with whom you regularly work.

During the California Consumer Privacy Act’s (“CCPA”) amendment process prior to enactment, personal information in the employment context was highly contested, and it has continued to be a point of deliberation even after the CCPA’s January 1, 2020 effective date. The CCPA excludes certain employment-related personal information from most of the act’s requirements until January 1, 2021. This exemption was extended by the California Privacy Rights Act (“CPRA”) (a ballot measure supported last week by a strong majority of California voters) until January 1, 2023.[1]

Under the CCPA, unlike consumers generally, employees, applicants, and independent contractors may not request the deletion of their personal information; may not opt out of the sale of their personal information; and may not request information concerning the categories of personal information collected, the sources from which it is collected, the purpose for collecting or selling it, or the categories of third parties with whom the business shares it. Additionally, prior to the CPRA, employees, applicants, and independent contractors did not have anti-discrimination/retaliation rights under the law.

Anti-Discrimination/Retaliation Provision

The CPRA expands the existing anti-discrimination rights to employees, applicants, and independent contractors. Section 1798.125(a)(1)(E) states that “[a] business shall not discriminate against a consumer because the consumer exercised any of the consumer’s rights…including…retaliating against an employee, applicant for employment, or independent contractor…”

Even so, although employees, applicants and independent contractors are temporarily excluded from most of the CCPA’s protections, two areas of compliance presently remain: (i) providing a notice at collection, and (ii) maintaining reasonable safeguards for a subset of personal information, a duty enforced through the private right of action now available to individuals affected by a data breach caused by a business’s failure to maintain such safeguards.

In light of the expansion of this provision, employers now cannot discriminate and/or retaliate against employees, applicants, and independent contractors for exercising their rights to: i) receive a notice at collection concerning their personal information, and ii) bring a private action following a data breach involving their personal information caused by the employer’s failure to maintain reasonable safeguards. Additionally, if the CPRA is not amended to extend the exemption beyond December 31, 2022, employees, applicants and independent contractors will receive full rights under the CCPA. If so, on and after January 1, 2023, employers subject to the CCPA will not be able to discriminate against their California employees who decide to exercise their right to know, right to delete, or right to opt out, or the new CPRA rights to limit the use and disclosure of sensitive personal information and to correct personal information.

We will continue to update the status of the CPRA, its enforcement and any amendments to its current version.

[1] Prior to the passage of Prop 24 (CPRA), Governor Gavin Newsom signed AB1281 extending the exemption until January 1, 2022.

It goes without saying that November 3, 2020 was an important day for the future of the nation, but it was also a significant day for the future of California privacy law. On Tuesday, a strong majority of California voters supported Proposition 24, a ballot measure which aims to expand and enhance the California Consumer Privacy Act (“CCPA”). The CCPA took effect in January and companies are still grappling with compliance. Companies have overhauled their privacy programs and policies and designed new systems to comply with the CCPA, but now it looks like they will be back to the drawing board.

Proposition 24, titled the California Privacy Rights Act of 2020 (CPRA) (unofficially dubbed CCPA 2.0), amends the CCPA, which has been criticized for over broad definitions and ambiguous language. The CPRA expands the privacy rights of California residents and increases compliance obligations for companies.

Here are a few key aspects of the CPRA:

  • New type of personal information – “sensitive personal information”. This new subset of personal information includes data elements such as social security number, driver’s license number, and financial account number. However, perhaps following the General Data Protection Regulation (GDPR) in the European Union, the term also includes, without limitation, a consumer’s racial or ethnic origin, religious beliefs, union membership, the contents of a consumer’s email and text messages (unless the business is an intended recipient), genetic information, and a consumer’s sex life and sexual orientation.
  • New rights for consumers: limiting uses and disclosures and correcting inaccurate personal information. For the new subset of personal information, sensitive personal information, California consumers will have the right to request limitations on the use and disclosure of that information. Consumers also will have the right to ask businesses to correct inaccurate personal information maintained by the business.
  • Changes to the Notice at Collection. Several changes and clarifications were made to the requirement to provide consumers a notice at collection. For example, the notice must now include a retention period for each category of personal information and sensitive personal information, or include criteria for determining the retention period if setting a retention period is not possible.
  • Enhanced protections for children’s data. The CPRA triples fines for collecting and selling information of minors under 16 years of age.
  • Creates an enforcement agency. Establishes the California Privacy Protection Agency which, alongside the California Department of Justice, will implement and enforce consumer privacy law and impose fines.
  • Adds data retention requirement. Prohibits businesses’ retention of personal information or sensitive personal information for longer than reasonably necessary for the disclosed purpose for which the information was collected.
  • Adds a specific data security requirement. Prior to the CPRA, the CCPA did not expressly require businesses to maintain reasonable safeguards to protect personal information, although it added a private right of action for data breaches caused by a failure to maintain reasonable safeguards. The CPRA expressly requires businesses to implement reasonable security procedures and practices to protect personal information from unauthorized or illegal access, destruction, use, modification, or disclosure in accordance with Cal. Civ. Code 1798.81.5.
  • Expands written agreement requirements. Businesses that collect personal information and then share or sell it to a third party, or disclose it to a contractor or service provider, will need to enter into written agreements containing certain required provisions. Among them: (i) obligating the third party, contractor, or service provider to comply with the CCPA/CPRA as applicable, and (ii) granting the business the right to take reasonable steps to ensure the third party, contractor, or service provider uses the personal information consistently with the CCPA/CPRA.
  • Increased exposure to liability in the event of a data breach. The CCPA included a private right of action where a business experienced a data breach affecting a defined subset of personal information due to the failure to maintain reasonable safeguards, and the failure to cure following notice. The CPRA adds a consumer’s email address in combination with a password or security question and answer that would permit access to the account to the subset of personal information that, if breached, can trigger the private right of action. The CPRA also clarifies that implementing and maintaining reasonable security procedures and practices under Cal. Civ. Code 1798.81.5 after a breach has occurred does not constitute a cure with respect to that breach.
  • Extension of the employee personal information and “B2B” (business to business) exemptions. In September, California enacted AB 1281, which extended the CCPA’s exemptions for employee personal information and “B2B” personal information to January 1, 2022 (both exemptions were set to sunset on January 1, 2021). The CPRA further extends those exemptions until January 1, 2023. Note that employee and “B2B” personal information remains subject to the CCPA’s private right of action if that personal information is involved in a data breach and reasonable safeguards were not in place.

The CPRA’s substantive provisions become operative on January 1, 2023, and generally apply to personal information collected on or after January 1, 2022 (with an exception for access requests).

“We are at the beginning of a journey that will profoundly shape the fabric of our society by redefining who is in control of our most personal information and putting consumers back in charge of their own data,” Alastair Mactaggart, chair of Californians for Consumer Privacy and Proposition 24 sponsor, said in a statement.

Companies will once again have to review their privacy programs and likely amend them further to comply with the CPRA’s new requirements. That said, the CPRA generally becomes operative January 1, 2023, and in the interim California regulators are expected to provide additional guidance on the compliance and enforcement implications of the new law.

Companies should continue to monitor CCPA/CPRA developments, and ensure their privacy programs and procedures remain aligned with current compliance requirements.

The Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the U.S. Department of Health and Human Services (HHS) have issued a joint cybersecurity advisory (Alert AA20-302A, October 28, 2020) stating they have credible information of an increased and imminent cybercrime threat to U.S. hospitals and healthcare providers.

The advisory describes the tactics, techniques, and procedures (TTPs) cybercriminals use against targets in the Healthcare and Public Health (HPH) Sector to infect systems with Ryuk ransomware for financial gain. It provides technical details on the threat from Ryuk and on a newer set of TrickBot malware modules known as Anchor. The anticipated impact is that the ransomware encrypts a hospital’s systems, cutting off access and interfering with the ability to provide care, while the attackers hold the decryption key for ransom.

In addition to the technical details, the advisory identifies steps hospitals and healthcare providers should take to protect themselves from this cybercrime threat. Those steps include maintaining an up-to-date business continuity plan and other best practices.

Network Best Practices

  • Patch operating systems, software, and firmware as soon as manufacturers release updates.
  • Check configurations for every operating system version for HPH organization-owned assets to prevent issues from arising that local users are unable to fix due to local administration being disabled.
  • Regularly change passwords to network systems and accounts and avoid reusing passwords for different accounts.
  • Use multi-factor authentication (MFA) where possible.
  • Disable unused remote access or Remote Desktop Protocol (RDP) ports and monitor remote access or RDP logs.
  • Audit user accounts with administrative privileges and configure access controls with least privilege in mind.
  • Audit logs to ensure new accounts are legitimate.
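The last three items above (monitor RDP logs, audit administrative accounts, confirm new accounts are legitimate) are easier to act on as concrete checks against specific Windows Security event IDs. The following Python script is an added example and is not part of the advisory or of this post: it runs those checks over a handful of constructed Security-log events (JSON lines whose field names follow the Windows event schema but whose values are made up for illustration). The RDP source allowlist, the failed-logon threshold and the sample values are all assumptions.

```python
import json
from collections import Counter

# Hypothetical allowlist: addresses from which RDP sessions are expected.
EXPECTED_RDP_SOURCES = {"10.0.5.20", "10.0.5.21"}

# Windows Security event IDs used below: 4624 successful logon, 4625 failed
# logon, 4720 user account created, 4728/4732 member added to a global/local
# group. LogonType 10 is RemoteInteractive, i.e. RDP.
RDP_LOGON_TYPE = 10

# Constructed sample events as JSON lines (values are made up; field names
# follow the Windows Security event schema).
SAMPLE_EVENTS = """\
{"EventID": 4624, "LogonType": 10, "TargetUserName": "jdoe", "IpAddress": "10.0.5.20", "TimeCreated": "2020-10-28T08:02:11"}
{"EventID": 4625, "LogonType": 10, "TargetUserName": "administrator", "IpAddress": "198.51.100.7", "TimeCreated": "2020-10-28T08:03:01"}
{"EventID": 4625, "LogonType": 10, "TargetUserName": "admin", "IpAddress": "198.51.100.7", "TimeCreated": "2020-10-28T08:03:04"}
{"EventID": 4625, "LogonType": 10, "TargetUserName": "backup", "IpAddress": "198.51.100.7", "TimeCreated": "2020-10-28T08:03:09"}
{"EventID": 4624, "LogonType": 10, "TargetUserName": "administrator", "IpAddress": "198.51.100.7", "TimeCreated": "2020-10-28T08:05:30"}
{"EventID": 4720, "TargetUserName": "svc_backup2", "SubjectUserName": "administrator", "TimeCreated": "2020-10-28T08:10:00"}
{"EventID": 4732, "TargetUserName": "Administrators", "MemberName": "CN=svc_backup2,CN=Users,DC=corp,DC=example", "SubjectUserName": "administrator", "TimeCreated": "2020-10-28T08:10:05"}
{"EventID": 4624, "LogonType": 2, "TargetUserName": "mlee", "IpAddress": "-", "TimeCreated": "2020-10-28T08:12:40"}
"""


def parse_events(text):
    """Parse JSON-lines event records, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def new_accounts(events):
    """Accounts created (4720) and the account that created them."""
    return [(e["TargetUserName"], e["SubjectUserName"])
            for e in events if e["EventID"] == 4720]


def admin_additions(events):
    """Members added to a group named Administrators (4732 local, 4728 domain)."""
    hits = []
    for e in events:
        if e["EventID"] in (4728, 4732) and e.get("TargetUserName") == "Administrators":
            # MemberName is a distinguished name in the sample; keep the CN part.
            cn = e.get("MemberName", "").split(",", 1)[0]
            if cn.startswith("CN="):
                cn = cn[3:]
            hits.append((cn, e["SubjectUserName"]))
    return hits


def unexpected_rdp_logons(events, allowed=EXPECTED_RDP_SOURCES):
    """Successful RDP logons (4624, LogonType 10) from addresses outside the allowlist."""
    return [(e["TargetUserName"], e["IpAddress"]) for e in events
            if e["EventID"] == 4624 and e.get("LogonType") == RDP_LOGON_TYPE
            and e.get("IpAddress") not in allowed]


def rdp_failure_sources(events, threshold=3):
    """Source addresses with at least `threshold` failed RDP logons (password guessing)."""
    counts = Counter(e["IpAddress"] for e in events
                     if e["EventID"] == 4625 and e.get("LogonType") == RDP_LOGON_TYPE)
    return {ip: n for ip, n in counts.items() if n >= threshold}


def audit(text, allowed=EXPECTED_RDP_SOURCES, threshold=3):
    """Run every check over a JSON-lines event export and return the findings."""
    events = parse_events(text)
    return {
        "new_accounts": new_accounts(events),
        "admin_additions": admin_additions(events),
        "unexpected_rdp": unexpected_rdp_logons(events, allowed),
        "rdp_failures": rdp_failure_sources(events, threshold),
    }


if __name__ == "__main__":
    for name, finding in audit(SAMPLE_EVENTS).items():
        print(f"{name}: {finding}")
```

On the constructed sample the script ties the four findings together: a burst of failed RDP logons from one outside address, a successful RDP logon for `administrator` from that same address, a new account created minutes later, and that account added to the local Administrators group. Real telemetry would come from the Security log (for example exported as JSON by a log forwarder), and each shop would tune the allowlist and threshold to its own environment; the point is that each audit item in the advisory maps to a specific event ID and field rather than to a vague “review the logs.”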

Ransomware Best Practices

  • CISA, FBI, and HHS do not recommend paying ransoms. Further, the U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) recently issued an advisory alerting companies of the potential sanctions risk for facilitating ransomware payments.
  • Regularly back up data, air gap, and password-protect backup copies offline.
  • Implement a recovery plan to maintain and retain multiple copies of sensitive or proprietary data and servers in a physically separate, secure location.

User Awareness Best Practices

  • Focus on awareness and training. Because end users are targeted, make employees and stakeholders aware of the threats (such as ransomware and phishing scams) and how they are delivered.
  • Provide users training on information security principles and techniques as well as overall emerging cybersecurity risks and vulnerabilities.
  • Ensure that employees know who to contact when they see suspicious activity or when they believe they have been a victim of a cyberattack.

The advisory notes that addressing the risks posed by malware and ransomware attacks will be particularly challenging for hospitals and healthcare providers during the COVID-19 pandemic. Additional advice on avoiding and responding to an attack is available here. If you have questions about this advisory or how best to assess and manage the risks identified in the advisory, please contact a Jackson Lewis attorney.


Earlier this year, we reported on an evolution in the form of cyberattack known as ransomware: attackers moving from simply denying affected users access to critical data by encrypting it, to removing data from the compromised systems and threatening its public release in exchange for payment. These attacks typically target the companies maintaining the data. However, attackers may be adopting a new tactic when they do not get paid: targeting the individuals whose sensitive personal information was compromised.

According to reports, Vastaamo, a psychotherapy provider with some 22 locations in Finland, was hacked and the attackers demanded 40 bitcoins (about $525,000) under threat of publicly disclosing patient psychotherapy records. Businesses in the US hearing these facts might be thinking of the recent advisory issued by the U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) alerting companies to the potential sanctions risk of facilitating ransomware payments. Vastaamo refused to pay the ransom.

When the attackers did not get paid by the provider, patients began receiving emails demanding payment of smaller amounts to avoid disclosure. Reporting on this incident states:

Therapist session notes of some 300 patients have already been published on a Tor-accessible site on the dark web. Among the victims are Finnish politicians (e.g., Member of Parliament Eeva-Johanna Eloranta) and minors.

Not much is known yet about the nature of the attack and various governmental agencies are involved.

This incident reveals a troubling pattern of cyberattacks now extending to individuals served by the organizations compromised – patients, students, customers, members, employees, etc.

Organizations devote significant resources to securing their networks and protecting the data they maintain. While that is necessary, considering the nature of the threats and current trends, it likely is not sufficient. Incident response planning is critical, but it needs to be reevaluated and evolve as the threat landscape evolves.

There are many steps organizations could take to minimize the chance and impact of a successful attack, and to be prepared to respond. Situations like this emphasize the need to understand the individuals the organization serves, what their needs might be in a case like this, and how best to communicate with them efficiently.

Co-Author: Eric R. Magnus

The Eleventh Circuit Court of Appeals recently ruled that “incentive” or “service” awards to lead plaintiffs in Rule 23 class actions are unlawful. It is the first circuit court of appeals to expressly invalidate such awards as a matter of law. (Johnson v. NPAS Solutions, LLC, No. 18-12344, September 17, 2020).

In a suit brought under the Telephone Consumer Protection Act (TCPA), a divided circuit panel struck down a $6,000 award to a lead plaintiff and, for this and other reasons, vacated a federal court’s order approving a proposed $1.432 million settlement. (There were 179,642 potential class members, who would each have received only $7.97; only 9,543 class members submitted claims, bringing their haul to what could have been “a whopping $79.”)

Supreme Court precedent. The U.S. Supreme Court prohibited the award of incentive payments to plaintiffs more than a century ago, calling this particular fee for services “decidedly objectionable,” the Eleventh Circuit noted (citing Trustees v. Greenough, 105 U.S. 527 (1882), along with Central Railroad & Banking Co. v. Pettus, 113 U.S. 116 (1885), issued on the heels of that decision). This controlling precedent predates Rule 23 by decades, as the plaintiffs pointed out to no avail in arguing that the decisions were nonbinding here. And these opinions seem to have gone unheeded in the 140 or so years since, the majority acknowledged, conceding that incentive awards are routine features of class settlements today.

“But, so far as we can tell, that state of affairs is a product of inertia and inattention, not adherence to law,” the court said, adding: “Although it’s true that such awards are commonplace in modern class-action litigation, that doesn’t make them lawful, and it doesn’t free us to ignore Supreme Court precedent forbidding them.”

The incentive award in this case is “part fee and part bounty,” according to the majority. Such awards amount to the kind of pay for services disfavored by the Supreme Court. What’s more, such fees are meant “to promote litigation by providing a prize to be won.”

Eleventh Circuit is an outlier. Judge Martin dissented on this point, and noted that the decision “takes our court out of the mainstream.” No other circuit court has barred incentive awards; in fact, “none has even directly addressed its authority to approve incentive awards,” she pointed out. Yet, as the majority countered, the courts appear to have abandoned the inquiry whether there is actually a legal basis for such awards, turning instead to the question whether such awards are fair.

Fee objection before fee petition? The appeals court also was troubled that, in granting preliminary approval to the slapdash settlement (over the objections of the appellant here), the district court effectively required class members to opt out or object to the attorney fee award even before class counsel filed their fee petition. The appeals court found a clear violation of Federal Rule of Civil Procedure 23(h) in setting the objection date prior to the motion for fees.

However, applying the harmless-error doctrine for the first time in the context of Rule 23(h), the court concluded that this error was harmless.

“Boilerplate” approval. In addition, the lower court violated the Federal Rules and circuit precedent more generally by failing to offer a reasoned explanation for its decision to approve the terms of a class settlement and to overrule objections. The appeals court recognized that the district court’s approach to evaluating the settlement was fairly common. Here again, though, as with the court’s approval of the incentive award, it is no answer to say, “That’s just how it’s done.”

“We don’t necessarily fault the district court—it handled the class-action settlement here in pretty much exactly the same way that hundreds of courts before it have handled similar settlements. But familiarity breeds inattention, and it falls to us to correct the errors in the case before us.”

Takeaways. As a practical matter, removing the prospect of service awards for Named Plaintiffs in class actions will impact the resolution of class actions within the Eleventh Circuit, adding further nuance to the negotiation of settlements and the drafting of settlement agreements.

This decision will also further increase judicial scrutiny of class action settlements in the Eleventh Circuit, which is a Circuit that, since its seminal decision in Lynn’s Foods, Inc. v. United States in 1982, has been active in scrutinizing the terms of employment class action settlements, particularly in the area of wage and hour settlements.

A critical question that remains unanswered is whether the majority’s rationale will be applied in the context of collective actions brought under Section 216(b) of the Fair Labor Standards Act (FLSA) or to the settlement of hybrid claims under both Rule 23 and Section 216(b).

It also remains to be seen if other federal circuits will find the Eleventh Circuit’s holding persuasive, and likewise opt to prohibit the use of incentive payments, or whether the Eleventh Circuit has further distanced itself from its sister circuits in closely scrutinizing class action settlement terms.